The 8 Steps to a Successful Data Protection Impact Assessment (DPIA)

GDPR has changed the way businesses and organisations process data. Does your organisation need to perform a data protection impact assessment?

In your organisation’s GDPR compliance efforts, you will most likely need to complete a data protection impact assessment (DPIA). While only a requirement for specific types of processing under the GDPR, this evaluation helps you to identify, assess, and mitigate or minimise privacy risks in your personal data processing activities.

Under the GDPR, your organisation is required to conduct a DPIA if you meet at least one of these conditions:

  • You use systematic and extensive profiling with significant effects
  • You process special category or criminal offence data on a large scale
  • You systematically monitor publicly accessible places on a large scale

Regardless of the reason why your organisation is conducting a DPIA, the evaluation must meet the following criteria:

  • It must describe the nature, scope, context and purposes of the data processing
  • It must assess necessity, proportionality and compliance measures
  • It must identify and assess risks to individuals
  • It must identify any additional measures to mitigate those risks

After you have determined that a DPIA is necessary, you should follow these eight steps to successfully carry it out:

  1. Describe how the personal data will be processed.
  2. Consider whether you need to consult all relevant stakeholders, and whether you should consult your DPO or another data security expert.
  3. Review your lawful basis for processing to determine whether the pending data processing will achieve your purpose or whether there is an alternative solution.
  4. Identify the potential risks of processing the data.
  5. Identify measures to reduce the potential risks of the data processing.
  6. Sign off on the DPIA and record its outcome.
  7. Integrate the DPIA outcome into the project’s plan.
  8. Monitor your data processing activities and make adjustments as needed.

To help your organisation determine whether a DPIA is necessary and to complete one successfully, the ICO has released a sample template.

Protect against cyber risks

Even with your best efforts, there are always risks when processing data in the public domain.

To reinforce your efforts to combat risks under GDPR, Bollington can provide appropriate cyber liability insurance to meet the needs of your organisation. Contact us on 0161 929 1851 to find out more about how our cyber insurance policy can protect your business.